Abstract

We present an automatic iterative abstraction-refinement methodology in which the initial abstract model is generated by an automatic analysis of the control structures in the program to be verified. Abstract models may admit erroneous (or “spurious”) counterexamples. We devise new symbolic techniques which analyze such counterexamples and refine the abstract model correspondingly. The refinement algorithm keeps the size of the abstract state space small due to the use of abstraction functions which distinguish many degrees of abstraction for each program variable. We describe an implementation of our methodology in NuSMV. Practical experiments including a large Fujitsu IP core design with about 500 latches and 10000 lines of SMV code confirm the effectiveness of our approach.
1 Introduction

The state explosion problem remains a major hurdle in applying model checking to large industrial designs. Abstraction is certainly the most important technique for handling this problem. In fact, it is essential for verifying designs of industrial complexity. Currently, abstraction is typically a manual process, often requiring considerable creativity. In order for model checking to be used more widely in industry, automatic techniques are needed for generating abstractions. In this paper, we describe an automatic abstraction technique for ACTL* specifications which is based on an analysis of the structure of formulas appearing in the program. In general, our technique computes an upper approximation of the original program. Thus, when a specification is true in the abstract model, it will also be true in the concrete design. However, if the specification is false in the abstract model, the counterexample may be the result of some behavior in the approximation which is not present in the original model. When this happens, it is necessary to refine the abstraction so that the behavior which caused the erroneous counterexample is eliminated. The main contribution of this paper is an efficient automatic refinement technique which uses information obtained from erroneous counterexamples. The refinement algorithm keeps the size of the abstract state space small due to the use of abstraction functions which distinguish many degrees of abstraction for each program variable. Practical experiments including a large Fujitsu IP core design with about 500 latches and 10000 lines of SMV code confirm the competitiveness of our implementation. Although our current implementation is based on NuSMV, it is in principle not limited to the input language of SMV and can be applied to other languages.

Our paper follows the general framework established by Clarke, Grumberg, and Long [10]. We assume that the reader has some familiarity with that framework. In our methodology, atomic formulas are automatically extracted from the program that describes the model. The atomic formulas are similar to the predicates used for abstraction by Graf and Saidi [14] and later in [11, 20]. However, instead of using the atomic formulas to generate an abstract global transition system, we use them to construct an explicit abstraction function. The abstraction function preserves logical relationships among the atomic formulas instead of treating them as independent propositions. The initial abstract model is constructed by adapting the existential abstraction techniques proposed in [8, 10] to our framework. Then, a traditional model checker is used to determine whether ACTL* properties hold in the abstract model (ACTL* is a fragment of CTL* which only allows universal quantification over paths). If the answer is yes, then the concrete model also satisfies the property. If the answer is no, then the model checker generates a counterexample. Since the abstract model has more behaviors than the concrete one, the abstract counterexample might not be valid. We say that such a counterexample is spurious.

In our methodology, we provide a new symbolic algorithm to determine whether an abstract counterexample is spurious. If the counterexample is not spurious, we report it to the user and stop. If the counterexample is spurious, the abstraction function must be refined to eliminate it. In our methodology, we identify the shortest prefix of the abstract counterexample that does not correspond to an actual trace in the concrete model. The last abstract state in this prefix is split into less abstract states so that the spurious counterexample is eliminated. Thus, a more refined abstraction function is obtained. Note that there may be many ways of splitting the abstract state; each determines a different refinement of the abstraction function. It is desirable to obtain the coarsest refinement which eliminates the counterexample because this corresponds to the smallest abstract model that is suitable for verification. We prove, however, that finding the coarsest refinement is NP-hard. Because of this, we use a polynomial-time algorithm which gives a suboptimal but sufficiently good refinement of the abstraction function. The applicability of our heuristic algorithm is confirmed by our experiments. Using the refined abstraction function obtained in this manner, a new abstract model is built and the entire process is repeated. Our methodology is complete for the fragment of ACTL* which has counterexamples that are either paths or loops, i.e., we are guaranteed to either find a valid counterexample or prove that the system satisfies the desired property. In principle, our methodology can be extended to all of ACTL*.

Using counterexamples to refine abstract models has been investigated by a number of other researchers beginning with the localization reduction of Kurshan [15]. He models a concurrent system as a composition of L-processes $L_1, \ldots, L_n$ (L-processes are described in detail in [15]). The localization reduction is an iterative technique that starts with a small subset of relevant L-processes that are topologically close to the specification in the variable dependency graph. All other program variables are abstracted away with nondeterministic assignments. If the counterexample is found to be spurious, additional variables are added to eliminate the counterexample. The heuristic for selecting these variables also uses information from the variable dependency graph. Note that the localization reduction either leaves a variable unchanged or replaces it by a nondeterministic assignment. A similar approach has been described by Balarin in [2]. In our approach, the abstraction functions exploit logical relationships among variables appearing in atomic formulas that occur in the control structure of the program. Moreover, the way we use abstraction functions makes it possible to distinguish many degrees of abstraction for each variable. Therefore, in the refinement step only very small and local changes to the abstraction functions are necessary and the abstract model remains comparatively small.

Another refinement technique has recently been proposed by Lind-Nielson and Andersen [17]. Their model checker uses upper and lower approximations in order to handle all of CTL. Their approximation techniques enable them to avoid rechecking the entire model after each refinement step while guaranteeing completeness. As in [2, 15] the variable dependency graph is used both to obtain the initial abstraction and in the refinement process. Variable abstraction is also performed in a similar manner. Therefore, our abstraction-refinement methodology relates to their technique in essentially the same way as it relates to the classical localization reduction.

A number of other papers [16, 18, 19] have proposed abstraction-refinement techniques for CTL model checking. However, these papers do not use counterexamples to refine the abstraction. We believe that the methods described in these papers are orthogonal to our technique and may even be combined with ours in order to achieve better performance. A recent technique proposed by Govindaraju and Dill [13] may be a starting point in this direction, since it also tries to identify the first spurious state in an abstract counterexample. It randomly chooses a concrete state corresponding to the first spurious state and tries to construct a real counterexample starting with the image of this state under the transition relation. The paper only talks about safety properties and path counterexamples. It does not describe how to check liveness properties with cyclic counterexamples. Furthermore, our method does not use random choice to extend the counterexample; instead it analyzes the cause of the spurious counterexample and uses this information to guide the refinement process.

Summarizing, our technique has a number of advantages over previous work:

(i) The technique is complete for an important fragment of ACTL*.

(ii) The initial abstraction and the refinement steps are efficient and entirely automatic. All algorithms are symbolic.

(iii) In comparison to methods like the localization reduction, we distinguish more degrees of abstraction for each variable. Thus, the changes in the refinement are potentially finer in our approach.

(iv) The refinement procedure is guaranteed to eliminate spurious counterexamples while keeping the state space of the abstract model small.

We have implemented our new methodology in NuSMV [6] and applied it to a number of benchmark designs [6]. In addition we have used it to debug a large IP core being developed at Fujitsu [1]. The design has about 500 latches and 10000 lines of Verilog code. Before using our methodology, we implemented the cone of influence reduction [8] in NuSMV to enhance its ability to check large models. Neither our enhanced version of NuSMV nor the recent version of SMV developed by Yang [23] were able to verify the Fujitsu IP core design. However, by using our new technique, we were able to find a subtle error in the design. Our program automatically abstracted 144 symbolic variables and performed three refinement steps. Currently, we are evaluating the methodology on other complex industrial designs.

The paper is organized as follows: Section 2 gives the basic definitions and terminology used throughout the paper. A general overview of our methodology is given in Section 3. Detailed descriptions of our abstraction-refinement algorithms are provided in Section 4. Performance improvements for the implementation are described in Section 5. Experimental results are presented in Section 6. Future research is discussed in Section 7.

2 Preliminaries

A program $P$ has a finite set of variables $V = \{v_1, \ldots, v_n\}$, where each variable $v_i$ has an associated finite domain $D_{v_i}$. The set of all possible states for program $P$ is $D_{v_1} \times \cdots \times D_{v_n}$, which we denote by $D$. Expressions are built from variables in $V$, constants in $D_{v_i}$, and function symbols in the usual way, e.g. $v_1 + 3$. Atomic formulas are constructed from expressions and relation symbols, e.g. $v_1 + 3 < 5$. Similarly, predicates are composed of atomic formulas using negation ($\neg$), conjunction ($\wedge$), and disjunction ($\vee$). Given a predicate $p$, $\mathrm{Atoms}(p)$ is the set of atomic formulas occurring in it. Let $p$ be a predicate containing variables from $V$, and $d = (d_1, \ldots, d_n)$ be an element from $D$. Then we write $d \models p$ when the predicate obtained by replacing each occurrence of the variable $v_i$ in $p$ by the constant $d_i$ evaluates to true.
Each variable $v_i$ in the program has an associated transition block, which defines both the initial value and the transition relation for the variable $v_i$. An example of a transition block for the variable $v_i$ is shown in Figure 1, where $I_i \subseteq D_{v_i}$ is the initial expression for the variable $v_i$, each condition $C^i_j$ is a predicate, and $A^i_j$ is an expression. The semantics of the transition block is similar to the semantics of the case statement in the modeling language of SMV, i.e., find the least $j$ such that in the current state condition $C^i_j$ is true and assign the value of the expression $A^i_j$ to the variable $v_i$ in the next state. Common hardware description languages like Verilog and VHDL can easily be compiled into this language.

    init(v_i) := I_i;
    next(v_i) := case
        C^i_1 : A^i_1;
        C^i_2 : A^i_2;
        ...
        C^i_{k_i} : A^i_{k_i};
    esac;

    init(x) := 0;
    next(x) := case
        reset = TRUE : 0;
        x < y : x + 1;
        x = y : 0;
        else : x;
    esac;

    init(y) := 1;
    next(y) := case
        reset = TRUE : 0;
        (x = y) ∧ ¬(y = 2) : y + 1;
        (x = y) : 0;
        else : y;
    esac;

Figure 1: A generic transition block and a typical example

We assume that the specifications are written in a fragment of CTL* called ACTL* (see [10]), where atomic formulas are used at the lowest level. ACTL* is the fragment of CTL* where negation is restricted to the atomic level, and path quantification is restricted to universal path quantification. Assume that we are given an ACTL* specification $\varphi$ and a program $P$. For each transition block $B_i$ let $\mathrm{Atoms}(B_i)$ be the set of atomic formulas that appear in the conditions. Let $\mathrm{Atoms}(\varphi)$ be the set of atomic formulas appearing in the specification $\varphi$. $\mathrm{Atoms}(P)$ is the set of atomic formulas that appear in the specification or in the conditions of the transition blocks.

Each program $P$ naturally corresponds to a labeled Kripke structure $M = (S, I, R, L)$, where $S = D$ is the set of states, $I \subseteq S$ is a set of initial states, $R \subseteq S \times S$ is a transition relation, and $L : S \to 2^{\mathrm{Atoms}(\varphi)}$ is a labelling given by $L(d) = \{f \in \mathrm{Atoms}(\varphi) \mid d \models f\}$.

Translating a program into a Kripke structure is straightforward and will not be described here.

An abstraction $h$ for a program $P$ is given by a surjection $h : D \to \hat{D}$. Notice that the surjection $h$ induces an equivalence relation $\equiv$ on the domain $D$ in the following manner: let $d, e$ be states in $D$, then

$d \equiv e$ iff $h(d) = h(e)$.

Since an abstraction can be represented either by a surjection $h$ or by an equivalence relation $\equiv$, we sometimes switch between these representations to avoid notational overhead.

Assume that we are given a program $P$ and an abstraction function $h$ for $P$. The abstract Kripke structure $\hat{M} = (\hat{S}, \hat{I}, \hat{R}, \hat{L})$ corresponding to the abstraction function $h$ is defined as follows:

1. $\hat{S}$ is the abstract domain $\hat{D}$.

2. $\hat{I}(\hat{d})$ iff $\exists d\,(h(d) = \hat{d} \wedge I(d))$.

3. $\hat{R}(\hat{d}_1, \hat{d}_2)$ iff $\exists d_1 \exists d_2\,(h(d_1) = \hat{d}_1 \wedge h(d_2) = \hat{d}_2 \wedge R(d_1, d_2))$.

4. $\hat{L}(\hat{d}) =$ (This definition will be justified in Theorem 2.1.)

Figure 2: Abstraction of a Traffic Light.

This abstraction technique is called existential abstraction [8]. An atomic formula $f$ respects an abstraction function $h$ if for all $d$ and $d'$ in the domain $D$, $(d \equiv d') \Rightarrow (d \models f \Leftrightarrow d' \models f)$. Let $\hat{d}$ be an abstract state. $\hat{L}(\hat{d})$ is consistent if all concrete states corresponding to $\hat{d}$ satisfy all labels in $\hat{L}(\hat{d})$, i.e., for all $d \in h^{-1}(\hat{d})$ it holds that $d \models \bigwedge_{f \in \hat{L}(\hat{d})} f$.

Theorem 2.1 Let $h$ be an abstraction and $\varphi$ be an ACTL* specification where the atomic subformulas respect $h$. Then the following holds: (i) $\hat{L}(\hat{d})$ is consistent for all abstract states $\hat{d}$ in $\hat{M}$; (ii) $\hat{M} \models \varphi \Rightarrow M \models \varphi$.

In other words, correctness of the abstract model implies correctness of the concrete model. On the other hand, if the abstract model invalidates an ACTL* specification, i.e., $\hat{M} \not\models \varphi$, the actual model may still satisfy the specification.


Example 2.1 Assume that for a traffic light controller (see Figure 2), we want to prove $\varphi = \mathbf{AG}\,\mathbf{AF}(state = red)$ using the abstraction function $h(red) = red$ and $h(green) = h(yellow) = go$. It is easy to see that $M \models \varphi$ while $\hat{M} \not\models \varphi$. There exists an infinite trace $(red, go, go, \ldots)$ that invalidates the specification.

If an abstract counterexample does not correspond to some concrete counterexample, we call it spurious. For example, $(red, go, go, \ldots)$ in the above example is a spurious counterexample.
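Existential abstraction of the traffic light of Example 2.1, worked through as an added example (not the paper's code): the concrete cycle red, green, yellow is a constructed model, the abstraction $h$ is the one above, and an explicit-state search stands in for the symbolic model checker to show that $M$ satisfies $\mathbf{AG}\,\mathbf{AF}(state = red)$ while $\hat{M}$ admits the spurious loop on $go$.

```python
# Added example (not from the paper): existential abstraction of the
# traffic-light controller of Example 2.1 over a constructed concrete model,
# and a check of AG AF(state = red) on both the concrete and the abstract model.

# Constructed concrete Kripke structure M = (S, I, R): red -> green -> yellow -> red.
S = {"red", "green", "yellow"}
I = {"red"}
R = {("red", "green"), ("green", "yellow"), ("yellow", "red")}

def h(s):
    """Abstraction function of Example 2.1: green and yellow both map to 'go'."""
    return "red" if s == "red" else "go"

def existential_abstraction(S, I, R, h):
    """Items 1-3 of the definition of M^: an abstract state (initial state,
    transition) exists iff some concrete one is mapped onto it by h."""
    return ({h(s) for s in S}, {h(s) for s in I}, {(h(a), h(b)) for (a, b) in R})

def violates_ag_af(S, I, R, target):
    """AG AF(target) fails iff some reachable state lies on a cycle that never
    visits a target state. Explicit-state search for such a lasso (no OBDDs)."""
    succ = {s: {t for (a, t) in R if a == s} for s in S}
    reach, todo = set(I), list(I)
    while todo:                                   # states reachable from I
        s = todo.pop()
        for t in succ[s] - reach:
            reach.add(t)
            todo.append(t)
    avoid = {s for s in reach if not target(s)}   # candidate cycle states
    def on_cycle(s):                              # s reachable from s inside avoid?
        seen, todo = set(), [t for t in succ[s] if t in avoid]
        while todo:
            t = todo.pop()
            if t == s:
                return True
            if t not in seen:
                seen.add(t)
                todo.extend(u for u in succ[t] if u in avoid)
        return False
    return any(on_cycle(s) for s in avoid)

def check_concrete():
    """Does M |= AG AF(state = red)? True: every cycle passes through red."""
    return not violates_ag_af(S, I, R, lambda s: s == "red")

def check_abstract():
    """Does M^ |= AG AF(state = red)? False: (red, go, go, ...) is a lasso."""
    S_hat, I_hat, R_hat = existential_abstraction(S, I, R, h)
    return not violates_ag_af(S_hat, I_hat, R_hat, lambda s: s == "red")
```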

When the set of possible states is given as the product $D_1 \times \cdots \times D_n$ of smaller domains, an abstraction $h$ can be described by surjections $h_i : D_i \to \hat{D}_i$, such that $h(d_1, \ldots, d_n)$ is equal to $(h_1(d_1), \ldots, h_n(d_n))$, and $\hat{D}$ is equal to $\hat{D}_1 \times \cdots \times \hat{D}_n$. In this case, we write $h = (h_1, \ldots, h_n)$. The equivalence relations $\equiv_i$ corresponding to the individual surjections $h_i$ induce an equivalence relation $\equiv$ over the entire domain $D = D_1 \times \cdots \times D_n$ in the obvious manner:

$(d_1, \ldots, d_n) \equiv (e_1, \ldots, e_n)$ iff $d_1 \equiv_1 e_1 \wedge \cdots \wedge d_n \equiv_n e_n$.
In previous work on existential abstraction [10], abstractions were defined for each variable domain, i.e., $D_i$ in the above paragraph was chosen to be $D_{v_i}$, where $D_{v_i}$ is the set of possible values for variable $v_i$. Unfortunately, many abstraction functions $h$ cannot be described in this simple manner. For example, let $D = \{0,1,2\} \times \{0,1,2\}$, and $\hat{D} = \{0,1\} \times \{0,1\}$. Then there are $4^9 = 262144$ functions $h$ from $D$ to $\hat{D}$. Next, consider $h = (h_1, h_2)$. Since there are $2^3 = 8$ functions from $\{0,1,2\}$ to $\{0,1\}$, there are only $64$ functions of this form from $D$ to $\hat{D}$.

In this paper, we define abstraction functions in a different way. We partition the set $V$ of variables into sets of related variables called variable clusters $VC_1, \ldots, VC_m$, where each variable cluster $VC_i$ has an associated domain $D_{VC_i} := \prod_{v \in VC_i} D_v$. Consequently, $D = D_{VC_1} \times \cdots \times D_{VC_m}$. We define abstraction functions as surjections on the domains $D_{VC_i}$, i.e., $D_i$ in the above paragraph is equal to $D_{VC_i}$. Thus, the notion of abstraction used in this paper is more general than the one used in [10].


3  Overview 

For a program $P$ and an ACTL* formula $\varphi$, our goal is to check whether the Kripke structure $M$ corresponding to $P$ satisfies $\varphi$. Our methodology consists of the following steps.

1. Generate the initial abstraction: We generate an initial abstraction $h$ by examining the transition blocks corresponding to the variables of the program. We consider the conditions used in the case statements and construct variable clusters for variables which interfere with each other via these conditions. Details can be found in Section 4.1.

2. Model-check the abstract structure: Let $\hat{M}$ be the abstract Kripke structure corresponding to the abstraction $h$. We check whether $\hat{M} \models \varphi$. If the check is affirmative, then we can conclude that $M \models \varphi$ (see Theorem 2.1). Suppose the check reveals that there is a counterexample $\hat{T}$. We ascertain whether $\hat{T}$ is an actual counterexample, i.e., a counterexample in the unabstracted structure $M$. If $\hat{T}$ turns out to be an actual counterexample, we report it to the user, otherwise $\hat{T}$ is a spurious counterexample, and we proceed to step 3.

3. Refine the abstraction: We refine the abstraction function $h$ by partitioning a single equivalence class of $\equiv$ so that after the refinement the abstract structure $\hat{M}$ corresponding to the refined abstraction function does not admit the spurious counterexample $\hat{T}$. We will discuss partitioning algorithms for this purpose in Section 4.3. After refining the abstraction function, we return to step 2.


4  The  Abstraction-Refinement  Framework 

4.1  Generating  The  Initial  Abstraction 

Assume that we are given a program $P$ with $n$ variables $\{v_1, \ldots, v_n\}$. Given an atomic formula $f$, let $var(f)$ be the set of variables appearing in $f$, e.g., $var(x = y)$ is $\{x, y\}$. Given a set of atomic formulas $U$, $var(U)$ equals $\bigcup_{f \in U} var(f)$. In general, for any syntactic entity $X$, $var(X)$ will be the set of variables appearing in $X$. We say that two atomic formulas $f_1$ and $f_2$ interfere iff $var(f_1) \cap var(f_2) \neq \emptyset$. Let $\equiv_I$ be the equivalence relation on $\mathrm{Atoms}(P)$ that is the reflexive, transitive closure of the interference relation. The equivalence class of an atomic formula $f \in \mathrm{Atoms}(P)$ is called the formula cluster of $f$ and is denoted by $[f]$. Let $f_1$ and $f_2$ be two atomic formulas. Then $var(f_1) \cap var(f_2) \neq \emptyset$ implies that $[f_1] = [f_2]$. In other words, a variable $v$ cannot appear in formulas that belong to two different formula clusters. Moreover, the formula clusters induce an equivalence relation $\equiv_V$ on the set of variables $V$ in the following way:

$v_i \equiv_V v_j$ if and only if $v_i$ and $v_j$ appear in atomic formulas that belong to the same formula cluster.

The equivalence classes of $\equiv_V$ are called variable clusters. For instance, consider a formula cluster $FC_1 = \{v_1 > 3, v_1 = v_2\}$. The corresponding variable cluster is $VC_1 = \{v_1, v_2\}$. Let $\{FC_1, \ldots, FC_m\}$ be the set of formula clusters and $\{VC_1, \ldots, VC_m\}$ the set of corresponding variable clusters. We construct the initial abstraction $h = (h_1, \ldots, h_m)$ as follows. For each $h_i$, we set $D_{VC_i} = \prod_{v \in VC_i} D_v$, i.e., $D_{VC_i}$ is the domain corresponding to the variable cluster $VC_i$. Since the variable clusters form a partition of the set of variables $V$, it follows that $D = D_{VC_1} \times \cdots \times D_{VC_m}$. For each variable cluster $VC_i = \{v_{i_1}, \ldots, v_{i_k}\}$, the corresponding abstraction $h_i$ is defined on $D_{VC_i}$ as follows: $h_i(d_1, \ldots, d_k) = h_i(e_1, \ldots, e_k)$ iff for all atomic formulas $f \in FC_i$,

$(d_1, \ldots, d_k) \models f \Leftrightarrow (e_1, \ldots, e_k) \models f$.

In other words two values are in the same equivalence class if they cannot be “distinguished” by atomic formulas appearing in the formula cluster $FC_i$. The following example illustrates how we construct the initial abstraction $h$.

Example 4.1 Consider the program $P$ with three variables $x, y \in \{0,1,2\}$, and $reset \in \{TRUE, FALSE\}$ shown in Figure 1. The set of atomic formulas is $\mathrm{Atoms}(P) = \{(reset = TRUE), (x = y), (x < y), (y = 2)\}$. There are two formula clusters, $FC_1 = \{(x = y), (x < y), (y = 2)\}$ and $FC_2 = \{(reset = TRUE)\}$. The corresponding variable clusters are $\{x, y\}$ and $\{reset\}$, respectively. Consider the formula cluster $FC_1$. Values $(0,0)$ and $(1,1)$ are in the same equivalence class because for all the atomic formulas $f$ in the formula cluster $FC_1$ it holds that $(0,0) \models f \Leftrightarrow (1,1) \models f$. It can be shown that the domain $\{0,1,2\} \times \{0,1,2\}$ is partitioned into a total of five equivalence classes by this criterion. We denote these classes by the natural numbers $0, 1, 2, 3, 4$ and list them below:

$0 = \{(0,0), (1,1)\}$, $1 = \{(0,1)\}$, $2 = \{(0,2), (1,2)\}$, $3 = \{(1,0), (2,0), (2,1)\}$, $4 = \{(2,2)\}$

The domain $\{TRUE, FALSE\}$ has two equivalence classes, one containing FALSE and the other TRUE. Therefore, we define two abstraction functions $h_1 : \{0,1,2\}^2 \to \{0,1,2,3,4\}$ and $h_2 : \{TRUE, FALSE\} \to \{TRUE, FALSE\}$. The first function $h_1$ is given by $h_1(0,0) = h_1(1,1) = 0$, $h_1(0,1) = 1$, $h_1(0,2) = h_1(1,2) = 2$, $h_1(1,0) = h_1(2,0) = h_1(2,1) = 3$, $h_1(2,2) = 4$. The second function $h_2$ is just the identity function, i.e., $h_2(reset) = reset$.
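The construction of Section 4.1 carried out for the program of Figure 1, as an added example (not the paper's implementation, which works on OBDDs): interference closure over $\mathrm{Atoms}(P)$ gives the formula clusters, and enumerating $D_{VC_1}$ in lexicographic order and numbering truth vectors by first appearance reproduces $h_1$ exactly as listed in Example 4.1. The atom table, domains and function names are constructed for this illustration.

```python
# Added example (not from the paper): the initial abstraction of Section 4.1
# computed for the program of Figure 1 (Example 4.1). Atoms, domains and
# function names are constructed here; the paper works with OBDDs, not tables.
from itertools import product

# Atoms(P) of Figure 1 as name -> (var(f), evaluator over a valuation dict).
ATOMS = {
    "reset = TRUE": ({"reset"}, lambda e: e["reset"] is True),
    "x = y":        ({"x", "y"}, lambda e: e["x"] == e["y"]),
    "x < y":        ({"x", "y"}, lambda e: e["x"] < e["y"]),
    "y = 2":        ({"y"},      lambda e: e["y"] == 2),
}
DOMAINS = {"x": [0, 1, 2], "y": [0, 1, 2], "reset": [True, False]}

def formula_clusters(atoms):
    """Formula clusters: classes of the reflexive-transitive closure of
    'interfere' (share a variable), computed with union-find over the atoms."""
    parent = {a: a for a in atoms}
    def find(a):
        while parent[a] != a:
            parent[a] = parent[parent[a]]
            a = parent[a]
        return a
    names = list(atoms)
    for idx, a in enumerate(names):
        for b in names[idx + 1:]:
            if atoms[a][0] & atoms[b][0]:      # var(f1) ∩ var(f2) ≠ ∅
                parent[find(a)] = find(b)
    classes = {}
    for a in names:
        classes.setdefault(find(a), set()).add(a)
    return [frozenset(c) for c in classes.values()]

def variable_cluster(fc, atoms):
    """VC_i = var(FC_i)."""
    return frozenset().union(*(atoms[a][0] for a in fc))

def initial_abstraction(fc, atoms, domains):
    """h_i on D_VC_i: two valuations get the same class iff no atom of FC_i
    distinguishes them. Classes are numbered in order of first appearance while
    enumerating D_VC_i lexicographically, which reproduces the numbering 0..4
    of Example 4.1. Returns (ordered variables of VC_i, valuation -> class)."""
    vc = sorted(variable_cluster(fc, atoms))
    atom_names = sorted(fc)
    classes, h = {}, {}
    for vals in product(*(domains[v] for v in vc)):
        env = dict(zip(vc, vals))
        truth = tuple(atoms[a][1](env) for a in atom_names)   # f-values of vals
        h[vals] = classes.setdefault(truth, len(classes))
    return vc, h

def example_4_1():
    """Clusters, h_1 on {x, y} and h_2 on {reset} for the program of Figure 1."""
    fcs = formula_clusters(ATOMS)
    fc1 = next(fc for fc in fcs if "x = y" in fc)
    fc2 = next(fc for fc in fcs if "reset = TRUE" in fc)
    vc1, h1 = initial_abstraction(fc1, ATOMS, DOMAINS)
    vc2, h2 = initial_abstraction(fc2, ATOMS, DOMAINS)
    return fcs, vc1, h1, vc2, h2
```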


4.2  Model  Checking  The  Abstract  Model 

Given an ACTL* specification $\varphi$, an abstraction function $h$ (assume that $\varphi$ respects $h$), and a program $P$ with a finite set of variables $V = \{v_1, \ldots, v_n\}$, let $\hat{M}$ be the abstract Kripke structure corresponding to the abstraction function $h$. We use standard symbolic model checking procedures to determine whether $\hat{M}$ satisfies the specification $\varphi$. If it does, then by Theorem 2.1 we can conclude that the original Kripke structure also satisfies $\varphi$. Otherwise, assume that the model checker produces a counterexample $\hat{T}$ corresponding to the abstract model $\hat{M}$. In the rest of this section, we will focus on counterexamples which are either (finite) paths or loops.


Figure  3:  An  abstract  counterexample 


4.2.1  Identification  Of  Spurious  Path  Counterexamples 

First, we will tackle the case when the counterexample $\hat{T}$ is a path $(\hat{s}_1, \ldots, \hat{s}_n)$. Given an abstract state $\hat{s}$, the set of concrete states $s$ such that $h(s) = \hat{s}$ is denoted by $h^{-1}(\hat{s})$, i.e., $h^{-1}(\hat{s}) = \{s \mid h(s) = \hat{s}\}$. We extend $h^{-1}$ to sequences in the following way: $h^{-1}(\hat{T})$ is the set of concrete paths given by the following expression

$\{(s_1, \ldots, s_n) \mid \bigwedge_{i=1}^{n} h(s_i) = \hat{s}_i \wedge I(s_1) \wedge \bigwedge_{i=1}^{n-1} R(s_i, s_{i+1})\}$.

We will occasionally write $h^{-1}_{path}$ to emphasize the fact that $h^{-1}$ is applied to a sequence.

Next, we give a symbolic algorithm to compute $h^{-1}(\hat{T})$. Let $S_1 = h^{-1}(\hat{s}_1) \cap I$ and $R$ be the transition relation corresponding to the unabstracted Kripke structure $M$. For $1 < i \leq n$, we define $S_i$ in the following manner: $S_i := Img(S_{i-1}, R) \cap h^{-1}(\hat{s}_i)$. In the definition of $S_i$, $Img(S_{i-1}, R)$ is the forward image of $S_{i-1}$ with respect to the transition relation $R$. The sequence of sets $S_i$ is computed symbolically using OBDDs and the standard image computation algorithm. The following lemma establishes the correctness of this procedure.

Lemma 4.1 The following are equivalent:

(i) The path $\hat{T}$ corresponds to a concrete counterexample.

(ii) The set of concrete paths $h^{-1}(\hat{T})$ is non-empty.

(iii) For all $1 \leq i \leq n$, $S_i \neq \emptyset$.

Suppose that condition (iii) of Lemma 4.1 is violated, and let $i$ be the largest index such that $S_i \neq \emptyset$. Then $\hat{s}_i$ is called the failure state of the spurious counterexample $\hat{T}$.

Example 4.2 Consider a program with only one variable with domain $D = \{1, \ldots, 12\}$. Assume that the abstraction function $h$ maps $x \in D$ to $\lfloor (x - 1)/3 \rfloor + 1$. There are four abstract states corresponding to the equivalence classes $\{1,2,3\}$, $\{4,5,6\}$, $\{7,8,9\}$, and $\{10,11,12\}$. We call these abstract states $\hat{1}$, $\hat{2}$, $\hat{3}$, and $\hat{4}$. The transitions between states in the concrete model are indicated by the arrows in Figure 3; small dots denote non-reachable states. Suppose that we obtain an abstract counterexample $\hat{T} = (\hat{1}, \hat{2}, \hat{3}, \hat{4})$. It is easy to see that $\hat{T}$ is spurious. Using the terminology of Lemma 4.1, we have $S_1 = \{1,2,3\}$, $S_2 = \{4,5,6\}$, $S_3 = \{9\}$, and $S_4 = \emptyset$. Notice that $S_4$ and therefore $Img(S_3, R)$ are both empty. Thus, $\hat{3}$ is the failure state.


Algorithm SplitPATH($\hat{T}$)

    S := h^{-1}(ŝ_1) ∩ I
    j := 1
    while (S ≠ ∅ and j < n) {
        j := j + 1
        S_prev := S
        S := Img(S, R) ∩ h^{-1}(ŝ_j)
    }
    if S ≠ ∅ then output "counterexample exists"
    else output j, S_prev

Figure 4: SplitPATH checks if an abstract path is spurious.


It follows from Lemma 4.1 that if $h^{-1}(\hat{T})$ is empty (i.e., if the counterexample $\hat{T}$ is spurious), then there exists a minimal $i$ ($2 \leq i \leq n$) such that $S_i = \emptyset$. The symbolic Algorithm SplitPATH in Figure 4 computes this number and the set of states $S_{i-1}$; the states in $S_{i-1}$ are called dead-end states. After the detection of the dead-end states, we proceed to the refinement step (see Section 4.3). On the other hand, if the conditions stated in Lemma 4.1 are true, then SplitPATH will report a “real” counterexample and we can stop.

4.2.2  Identification  of  Spurious  Loop  Counterexamples 

Now we consider the case when the counterexample $\hat{T}$ includes a loop, which we write as $(\hat{s}_1, \ldots, \hat{s}_i)(\hat{s}_{i+1}, \ldots, \hat{s}_n)^\omega$. The loop starts at the abstract state $\hat{s}_{i+1}$ and ends at $\hat{s}_n$. Since this case is more complicated than the path counterexamples, we first present an example in which some of the typical situations occur.
Figure 5: A loop counterexample, and its unwinding.

Example 4.3 We consider a loop $(\hat{s}_1)(\hat{s}_2, \hat{s}_3)^\omega$ shown in Figure 5. In order to find out if the abstract loop corresponds to concrete loops, we unwind the counterexample as demonstrated in the figure. There are two situations where cycles occur. In the figure, for each of these situations, an example cycle (the first one occurring) is indicated by a fat dashed arrow. We make the following important observations: (i) A given abstract loop may correspond to several concrete loops of different size. (ii) Each of these loops may start at different stages of the unwinding. (iii) The unwinding eventually becomes periodic (in our case two stages of the unwinding coincide), but only after several stages of the unwinding. The size of the period is the least common multiple of the size of the individual loops, and thus, in general exponential.

We conclude from the example that a naive algorithm may have exponential time complexity due to an exponential number of loop unwindings. The following surprising theorem, however, shows that a polynomial number of unwindings is sufficient. Let min be the minimum size of all abstract states in the loop, i.e.,

min = min_{i+1 ≤ j ≤ n} |h^{-1}(ŝ_j)|.

T̂_unwind denotes the finite abstract path (ŝ_1, ..., ŝ_i)(ŝ_{i+1}, ..., ŝ_n)^{min+1}, i.e., the path obtained by unwinding the loop part of T̂ min + 1 times.

Theorem 4.1 The following are equivalent:

(i) T̂ corresponds to a concrete counterexample.

(ii) h^{-1}_path(T̂_unwind) is not empty.

We conclude that loop counterexamples can be reduced to path counterexamples. In Figure 6, we describe the algorithm SplitLOOP which is an extension of SplitPATH. In the algorithm, T̂_unwind is computed by the subprogram unwind. The subprogram LoopIndex(j) computes the index of the abstract state at position j in the unwound counterexample T̂_unwind, i.e., LoopIndex(j) = j if j ≤ i (position j lies in the prefix), and otherwise LoopIndex(j) is the index in i + 1, ..., n of the loop state that occupies position j (the index wraps around to i + 1 after every copy of the loop).

If the abstract counterexample is spurious, then the algorithm SplitLOOP outputs a set S_prev and indices k, p, such that the following conditions hold:
Algorithm SplitLOOP(T̂)
  min := min{|h^{-1}(ŝ_{i+1})|, ..., |h^{-1}(ŝ_n)|}
  T̂_unwind := unwind(T̂, min + 1)
  Compute j and S_prev as in SplitPATH(T̂_unwind)
  k := LoopIndex(j)
  p := LoopIndex(j − 1)
  output S_prev, k, p

Figure 6: SplitLOOP checks if an abstract loop is spurious.

1. The states in S_prev correspond to the abstract state ŝ_p, i.e., S_prev ⊆ h^{-1}(ŝ_p).

2. All states in S_prev are reachable from h^{-1}(ŝ_1) ∩ I.

3. k is the successor index of p within the loop, i.e., if p = n then k = i + 1, and otherwise k = p + 1.

4. There is no transition from a state in S_prev to h^{-1}(ŝ_k), i.e., Img(S_prev, R) ∩ h^{-1}(ŝ_k) is empty.

5. Therefore, ŝ_p is the failure state of the loop counterexample.

Thus, the final situation encountered is indeed very similar to that in the case of path counterexamples. Note that the nontrivial feature of the algorithm SplitLOOP is the fact that only min unwindings of the loop are necessary. The correctness of this approach is not trivial, and details are deferred to the appendix.
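The two algorithms above, as an added explicit-state example that is not code from the paper: SplitPATH and SplitLOOP written over Python sets instead of BDDs, so that every S_j can be inspected. The Kripke structure (INIT, R), the abstraction H_INV and all function names are constructed for this illustration and are not the paper's. The concrete model is chosen so that, as in Example 4.4, the abstract path 1̂ 2̂ 3̂ 4̂ fails at 3̂ with dead-end state 9; the loop (1̂)(2̂ 3̂)^ω is spurious for R and becomes real once two transitions closing a concrete cycle are added.

```python
# Added example, not code from the paper: explicit-state SplitPATH / SplitLOOP.
# The paper computes the same sets symbolically with BDDs; here sets of concrete
# states are plain Python sets so each step can be inspected.

# Constructed concrete Kripke structure: states 1..12, initial state 1,
# transition relation R given as a set of (source, target) pairs.
INIT = {1}
R = {(1, 4), (4, 9), (7, 10), (8, 5), (10, 11), (11, 10)}

# Constructed abstraction h, given by its inverse: abstract state -> concrete states.
H_INV = {"1": {1, 2, 3}, "2": {4, 5, 6}, "3": {7, 8, 9}, "4": {10, 11, 12}}


def img(states, R):
    """Img(S, R): the set of successors of the states in S."""
    return {t for (s, t) in R if s in states}


def split_path(T_hat, h_inv, init, R):
    """SplitPATH (Figure 4) for an abstract path T_hat = [ŝ_1, ..., ŝ_n].

    Returns ("real", None) if some concrete path follows T_hat, otherwise
    ("spurious", (j, S_prev)) where j is the first position with S_j = ∅ and
    S_prev = S_{j-1} is the set of dead-end states.
    """
    n = len(T_hat)
    S = h_inv[T_hat[0]] & init                 # S_1 = h^{-1}(ŝ_1) ∩ I
    S_prev = S
    j = 1
    while S and j < n:
        j += 1
        S_prev = S
        S = img(S, R) & h_inv[T_hat[j - 1]]    # S_j = Img(S_{j-1}, R) ∩ h^{-1}(ŝ_j)
    if S:
        return ("real", None)
    return ("spurious", (j, S_prev))


def unwind(prefix, loop, times):
    """T̂_unwind: the prefix followed by `times` copies of the loop part."""
    return list(prefix) + list(loop) * times


def loop_index(j, i, n):
    """Index in T̂ = (ŝ_1..ŝ_i)(ŝ_{i+1}..ŝ_n)^ω of the state at position j of T̂_unwind."""
    if j <= i:
        return j
    return i + 1 + (j - i - 1) % (n - i)


def split_loop(prefix, loop, h_inv, init, R):
    """SplitLOOP (Figure 6) for T̂ = (prefix)(loop)^ω.

    Returns ("real", None) or ("spurious", (S_prev, k, p)): ŝ_p is the failure
    state, S_prev ⊆ h^{-1}(ŝ_p) its dead-end states, and k the successor index
    of p within the loop (conditions 1 to 5 in the text).
    """
    i, n = len(prefix), len(prefix) + len(loop)
    mn = min(len(h_inv[s]) for s in loop)       # min = smallest abstract state in the loop
    T_unwind = unwind(prefix, loop, mn + 1)     # Theorem 4.1: min + 1 unwindings suffice
    verdict, data = split_path(T_unwind, h_inv, init, R)
    if verdict == "real":
        return ("real", None)
    j, S_prev = data
    return ("spurious", (S_prev, loop_index(j, i, n), loop_index(j - 1, i, n)))


if __name__ == "__main__":
    # Abstract path 1̂ 2̂ 3̂ 4̂: 1 -> 4 -> 9 is followed, but 9 has no successor in 4̂.
    print(split_path(["1", "2", "3", "4"], H_INV, INIT, R))      # ('spurious', (4, {9}))
    # Abstract loop (1̂)(2̂ 3̂)^ω: spurious for R, real once 9 -> 5 and 5 -> 8 are added.
    print(split_loop(["1"], ["2", "3"], H_INV, INIT, R))          # ('spurious', ({9}, 2, 3))
    R_LOOP = R | {(9, 5), (5, 8)}
    print(split_loop(["1"], ["2", "3"], H_INV, INIT, R_LOOP))     # ('real', None)
```

For the spurious loop, min = 3, so the loop part is unwound four times into a path of nine abstract states; SplitPATH stops at position j = 4 with S_prev = {9}, and LoopIndex maps j − 1 = 3 to p = 3 and j = 4 to k = 2, which is exactly condition 3 (p = n, hence k = i + 1).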


4.3  Refining  The  Abstraction 

First, we will consider the case when the counterexample T̂ = (ŝ_1, ..., ŝ_n) is a path. Let us return to a previous example for a closer investigation of failure states.

Example 4.4 Recall that in the spurious counterexample of Figure 3, the abstract state 3̂ was the failure state. There are three types of concrete states in the failure state 3̂:

(i) The dead-end state 9 is reachable, but there are no outgoing transitions to the next state in the counterexample.

(ii) The bad state 7 is not reachable, but its outgoing transitions cause the spurious counterexample; the spurious counterexample is thus caused by the bad state.

(iii) The irrelevant state 8 is neither reachable nor bad.

The goal of the refinement methodology described in this section is to refine h so that the dead-end states and bad states do not belong to the same abstract state. Then the spurious counterexample will be eliminated.
Figure 7: Two possible refinements of an Equivalence Class.


If T̂ does not correspond to a real counterexample, by Lemma 4.1 (iii) there always exists a set S_i of dead-end states, i.e., S_i ⊆ h^{-1}(ŝ_i) with 1 ≤ i < n such that Img(S_i, R) ∩ h^{-1}(ŝ_{i+1}) = ∅ and S_i is reachable from the initial state set h^{-1}(ŝ_1) ∩ I. Moreover, the set S_i of dead-end states can be obtained as the output S_prev of SplitPATH or SplitLOOP. Since there is a transition from ŝ_i to ŝ_{i+1} in the abstract model, there is at least one transition from a bad state in h^{-1}(ŝ_i) to a state in h^{-1}(ŝ_{i+1}), even though there is no transition from S_i to h^{-1}(ŝ_{i+1}), and thus the set of bad states is not empty. We partition h^{-1}(ŝ_i) into three subsets S_{i,0}, S_{i,1}, and S_{i,x} as follows:


Name                Partition   Definition
dead-end states     S_{i,0}     S_i
bad states          S_{i,1}     {s ∈ h^{-1}(ŝ_i) | ∃s' ∈ h^{-1}(ŝ_{i+1}). R(s, s')}
irrelevant states   S_{i,x}     h^{-1}(ŝ_i) \ (S_{i,0} ∪ S_{i,1})

Intuitively, S_{i,0} denotes the set of dead-end states, i.e., states in h^{-1}(ŝ_i) that are reachable from initial states. S_{i,1} denotes the set of bad states, i.e., those states in h^{-1}(ŝ_i) that are not reachable from initial states, but have at least one transition to some state in h^{-1}(ŝ_{i+1}). The set S_{i,1} cannot be empty since we know that there is a transition from h^{-1}(ŝ_i) to h^{-1}(ŝ_{i+1}). S_{i,x} denotes the set of irrelevant states, i.e., states that are not reachable from initial states, and do not have a transition to a state in h^{-1}(ŝ_{i+1}). Since S_{i,1} is not empty, there is a spurious transition ŝ_i → ŝ_{i+1}. This causes the spurious counterexample T̂. Hence, in order to refine the abstraction h so that the new model does not allow T̂, we need a refined abstraction function which separates the two sets S_{i,0} and S_{i,1}, i.e., we need an abstraction function in which no abstract state simultaneously contains states from S_{i,0} and from S_{i,1}.

It is natural to describe the needed refinement in terms of equivalence relations: Recall that h^{-1}(ŝ) is an equivalence class of ≡ which has the form E_1 × ··· × E_m, where each E_j is an equivalence class of ≡_j. Thus, the refinement ≡' of ≡ is obtained by partitioning the equivalence classes E_j into subclasses, which amounts to refining the equivalence relations ≡_j. The size of the refinement is the number of new equivalence classes. Ideally, we would like to find the coarsest refinement that separates the two sets, i.e., the separating refinement with the smallest size.

Example 4.5 Assume that we have two variables v_1, v_2. The failure state corresponds to one equivalence class E_1 × E_2, where E_1 = {3, 4, 5} and E_2 = {7, 8, 9}. In Figure 7, dead-end states S_{i,0} are denoted by 0, bad states S_{i,1} by 1, and irrelevant states by x.

Let us consider two possible partitions of E_1 × E_2:

• Case (a): {(3, 4), (5)} × {(7), (8), (9)} (6 classes)
• Case (b): {(3), (4, 5)} × {(7, 9), (8)} (4 classes)

Clearly, case (b) generates a coarser refinement than case (a). It can be easily checked that no other refinement is coarser than (b).

In  general,  the  problem  of  finding  the  coarsest  refinement  problem  is  computationally 
intractable. 

Theorem  4.2  The  problem  of  finding  the  coarsest  refinement  is  NP-hard. 

The  proof  is  provided  in  Appendix  B. 

We therefore need to obtain a good heuristic for abstraction refinement. When S_{i,x} is empty, there is a polynomial algorithm which can find the coarsest refinement. The algorithm PolyRefine (see Figure 8) corresponds to this case. Let P_j, P_j^- be two projection functions, such that for s = (d_1, ..., d_m), P_j(s) = d_j and P_j^-(s) = (d_1, ..., d_{j-1}, d_{j+1}, ..., d_m). Then proj(S_{i,0}, j, a) denotes the projection set {P_j^-(s) | P_j(s) = a, s ∈ S_{i,0}}. Intuitively, the condition proj(S_{i,0}, j, a) ≠ proj(S_{i,0}, j, b) in the algorithm means that there exists (d_1, ..., d_{j-1}, d_{j+1}, ..., d_m) ∈ proj(S_{i,0}, j, a) with (d_1, ..., d_{j-1}, d_{j+1}, ..., d_m) ∉ proj(S_{i,0}, j, b). According to the definition of proj(S_{i,0}, j, a), s_1 = (d_1, ..., d_{j-1}, a, d_{j+1}, ..., d_m) ∈ S_{i,0} and s_2 = (d_1, ..., d_{j-1}, b, d_{j+1}, ..., d_m) ∉ S_{i,0}, i.e., s_2 ∈ S_{i,1}. The only way to separate s_1 and s_2 into different equivalence classes is that a and b have to be in different equivalence classes of ≡'_j, i.e., a ≢'_j b.


Algorithm PolyRefine
  for j := 1 to m {
    ≡'_j := ≡_j
    for every a, b ∈ E_j {
      if proj(S_{i,0}, j, a) ≠ proj(S_{i,0}, j, b)
      then ≡'_j := ≡'_j \ {(a, b)} }}

Figure 8: The algorithm PolyRefine


Lemma 4.2 When S_{i,x} = ∅, the relation ≡'_j computed by PolyRefine is an equivalence relation which refines ≡_j and separates S_{i,0} and S_{i,1}. Furthermore, the equivalence relation ≡'_j is the coarsest refinement of ≡_j.

The proof of this lemma is provided in Appendix B.

Note that in the symbolic representation, the projection operation proj(S_{i,0}, j, a) amounts to computing a generalized cofactor, which can be easily done by standard BDD methods.
Figure 9: Three sets S_{i,0}, S_{i,1}, and S_{i,x} (figure labels: h^{-1}(ŝ_{i-1}), h^{-1}(ŝ_i), h^{-1}(ŝ_{i+1})).

Given a function f : D → {0, 1}, a generalized cofactor of f with respect to g = (⋀_{k=p}^{q} x_k = d_k) is the function f_g = f(x_1, ..., x_{p-1}, d_p, ..., d_q, x_{q+1}, ..., x_n). In other words, f_g is the projection of f with respect to g. Symbolically, the set S_{i,0} is represented by a function f_{S_{i,0}} : D → {0, 1}, and therefore, the projection proj(S_{i,0}, j, a) of S_{i,0} to value a of the jth component corresponds to a cofactor of f_{S_{i,0}}.

In our implementation, we use a heuristic which is based on the following corollary to the proof of Lemma 4.2.

Corollary 4.1 Even if S_{i,x} is not empty, the relation ≡'_j computed by PolyRefine is an equivalence relation which refines ≡_j and separates S_{i,0} and S_{i,1}.

Refinement Heuristics We merge the states in S_{i,x} into S_{i,1}, and use the algorithm PolyRefine to find the coarsest refinement that separates the sets S_{i,0} and S_{i,1} ∪ S_{i,x}. The equivalence relation computed by PolyRefine in this manner is in general not optimal, but it is a correct refinement which separates S_{i,0} and S_{i,1}, and eliminates the spurious counterexample. This heuristic has given good results in our practical experiments.
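PolyRefine, the refinement heuristic just described and the claim of Example 4.5 that no refinement is coarser than case (b), as an added explicit-state example that is not code from the paper. The 0/1 classification of the nine states of E_1 × E_2 is constructed here (the matrix of Figure 7 is not reproduced on the page) and chosen so that the coarsest separating refinement is case (b); a second constructed instance with irrelevant states shows that PolyRefine can be strictly coarser than optimal once S_{i,x} is non-empty, which is what the text means by "in general not optimal". All names (E, S_0, S_1, S_X, proj, poly_refine, coarsest_size, ...) are mine.

```python
# Added example, not code from the paper: explicit-state PolyRefine (Figure 8),
# the refinement heuristic (S_{i,x} merged into S_{i,1}), and a brute-force
# search for the coarsest separating refinement (exponential, fine for 3x3).
from itertools import product

E = [{3, 4, 5}, {7, 8, 9}]   # E_1, E_2 of Example 4.5 (values of v_1, v_2)

# Constructed classification of the nine states (v_1, v_2) of the failure state.
# In the paper S_{i,0} is the S_prev output of SplitPATH/SplitLOOP; here it is fixed by hand.
S_0 = {(3, 7), (3, 9), (4, 8), (5, 8)}              # dead-end states
S_1 = {(3, 8), (4, 7), (4, 9), (5, 7), (5, 9)}      # bad states
S_X = set()                                         # irrelevant states (none)

# Second constructed instance, with irrelevant states, for the heuristic.
E_B = [{3, 4}, {7, 8}]
S_0B, S_1B, S_XB = {(3, 7)}, {(4, 8)}, {(3, 8), (4, 7)}


def proj(S, j, a):
    """proj(S, j, a) = { P_j^-(s) | P_j(s) = a, s in S }  (j is 0-based here)."""
    return {s[:j] + s[j + 1:] for s in S if s[j] == a}


def poly_refine(S_0, E):
    """PolyRefine: a ≡'_j b iff proj(S_0, j, a) == proj(S_0, j, b).
    Returns, for each component j, the list of classes of ≡'_j."""
    partition = []
    for j, E_j in enumerate(E):
        groups = {}
        for a in E_j:
            groups.setdefault(frozenset(proj(S_0, j, a)), set()).add(a)
        partition.append(sorted(groups.values(), key=min))
    return partition


def separates(partition, S_0, S_1):
    """True iff no refined class E'_1 x ... x E'_m contains a state of S_0 and one of S_1."""
    def cls(s):
        return tuple(next(c for c, block in enumerate(partition[j]) if s[j] in block)
                     for j in range(len(s)))
    return not ({cls(s) for s in S_0} & {cls(s) for s in S_1})


def heuristic_refine(S_0, S_1, S_X, E):
    """Refinement heuristic of Section 4.3: treat S_X as bad and run PolyRefine.
    PolyRefine only inspects S_0, so merging S_X into S_1 changes nothing in the
    computation; Corollary 4.1 says the result still separates S_0 from S_1 ∪ S_X."""
    partition = poly_refine(S_0, E)
    assert separates(partition, S_0, S_1 | S_X)
    return partition


def size(partition):
    """Size of a refinement: number of new equivalence classes."""
    n = 1
    for classes in partition:
        n *= len(classes)
    return n


def set_partitions(elems):
    """All partitions of a finite set (only for the brute-force check)."""
    elems = sorted(elems)
    if not elems:
        yield []
        return
    first, rest = elems[0], elems[1:]
    for smaller in set_partitions(rest):
        for k in range(len(smaller)):
            yield smaller[:k] + [smaller[k] | {first}] + smaller[k + 1:]
        yield [{first}] + smaller


def coarsest_size(E, S_0, S_1):
    """Smallest size of any separating refinement (Theorem 4.2: NP-hard in general)."""
    return min(size(p) for p in product(*(list(set_partitions(E_j)) for E_j in E))
               if separates(p, S_0, S_1))


if __name__ == "__main__":
    ref = poly_refine(S_0, E)
    print(ref, size(ref), separates(ref, S_0, S_1), coarsest_size(E, S_0, S_1))
    # S_X empty: PolyRefine returns case (b) of Example 4.5, size 4, and 4 is optimal.
    ref_b = heuristic_refine(S_0B, S_1B, S_XB, E_B)
    print(size(ref_b), coarsest_size(E_B, S_0B, S_1B))
    # S_X non-empty: PolyRefine splits both variables (size 4), but size 2 separates S_0B and S_1B.
```

Symbolically, proj(S_0, j, a) is the generalized cofactor of the BDD for S_0 with x_j fixed to a, as the text notes; comparing cofactors for every pair a, b ∈ E_j is what the `groups` dictionary does explicitly here.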

Since, according to Theorem 4.1, the algorithm SplitLOOP for loop counterexamples works analogously to SplitPATH, the refinement procedure for spurious loop counterexamples works analogously, i.e., it uses SplitLOOP to identify the failure state, and PolyRefine to obtain a heuristic refinement.

Our refinement procedure continues to refine the abstraction function by partitioning equivalence classes until a real counterexample is found, or the ACTL* property is verified. The partitioning procedure is guaranteed to terminate since each equivalence class must contain at least one element. Thus, our method is complete.

Theorem 4.3 Given a model M and an ACTL* specification φ whose counterexample is either path or loop, our algorithm will find a model M̂ such that M̂ ⊨ φ ⇔ M ⊨ φ.
5 Performance Improvements

The symbolic methods described in Section 4 can be directly implemented using BDDs. Our implementation uses additional heuristics which are outlined in this section. For details, we refer to our technical report [7].

Two-phase Refinement Algorithms. Consider the spurious loop counterexample T̂ = (1̂, 2̂)^ω of Figure 10. Although T̂ is spurious, the concrete states involved in the example contain an infinite path (1, 1, ...) which is a potential counterexample. Since we know that our method is complete, such cases could be ignored. Due to practical performance considerations, however, we came to the conclusion that the relatively small effort to detect additional counterexamples is justified as a valuable heuristic. For a general loop counterexample T̂ = (ŝ_1, ..., ŝ_i)(ŝ_{i+1}, ..., ŝ_n)^ω we therefore proceed in two phases:

(i) We restrict the model to the state space S_local := ⋃_{1 ≤ j ≤ n} h^{-1}(ŝ_j) of the counterexample and use the standard fixpoint computation for temporal formulas (see e.g. [8]) to check the property on the Kripke structure restricted to S_local. If a concrete counterexample is found, then the algorithm terminates.

(ii) If no counterexample is found, we use SplitLOOP and PolyRefine to compute a refinement as described above.

This two-phase algorithm is slightly slower than the original one if we do not find a concrete counterexample; in many cases, however, it can speed up the search for a concrete counterexample. An analogous two-phase approach is used for finite path counterexamples.


Figure 10: A spurious loop counterexample (1̂, 2̂)^ω.
Approximation. Despite the use of partitioned transition relations it is often infeasible to compute the total transition relation of the model M [8]. Therefore, the abstract model M̂ cannot be computed from M directly. In previous work [2, 10], a method which we call early approximation has been introduced: first, abstraction is applied to the BDD representation of each transition block, and then the BDDs for the partitioned transition relation are built from the already abstracted BDDs for the transition blocks. The disadvantage of early approximation is that it over-approximates the abstract model M̂ [9]. In our approach, a heuristic individually determines for each variable cluster VC_i if early approximation should be applied or if the abstraction function should be applied in an exact manner. Our method has the advantage that it balances overapproximation and memory usage. Moreover, the overall method presented in our paper remains complete with this approximation.

Lemma 5.1 Let R̂ be the abstract transition relation obtained from existential abstraction. Let R̂_early be a partitioned transition relation obtained from early approximation. Let R̂_combined be the final partitioned transition relation which we obtain in our approach. Then

R̂ ⊆ R̂_combined and R̂_combined ⊆ R̂_early.

Thus, the approximation in our approach indeed is intermediate between early approximation and exact existential abstraction. Our method remains complete, because during the symbolic simulation of the counterexample the algorithms SplitPATH and SplitLOOP treat both forms of overapproximation, i.e., virtual transitions and spurious transitions, in the same way.

Abstractions For Distant Variables. In addition to the methods of Section 4.1, we completely abstract variables whose distance from the specification in the variable dependency graph is greater than a user-defined constant. Note that the variable dependency graph is also used for this purpose in the localization reduction [2, 15, 17] in a similar way. However, the refinement process of the localization reduction [15] can only turn a completely abstracted variable into a completely unabstracted variable, while our method uses intermediate abstraction functions.

A user-defined integer constant far determines which variables are close to the specification φ. The set NEAR of near variables contains those variables whose distance from the specification in the dependency graph is at most far, and FAR = var(P) − NEAR is the set of far variables. For variable clusters without far variables, the abstraction function remains unchanged. For variable clusters with far variables, their far variables are completely abstracted away, and their near variables remain unabstracted. Note that the initial abstraction for variable clusters with far variables looks similar to that in the localization reduction. However, the refinement process of the localization reduction [15] can only turn a completely abstracted variable into a completely unabstracted variable, while our method uses intermediate abstraction functions.


6  Experimental  Results 

We have implemented our methodology in NuSMV [6] which uses the CUDD package [21] for symbolic representation. We performed two sets of experiments. One set is on five benchmark designs. The other was performed on an industrial design of a multimedia processor from Fujitsu [1]. All the experiments were carried out on a 200MHz PentiumPro PC with 1GB RAM memory using Linux.

The first benchmark designs are publicly available. The PCI example is extracted from [5]. The results for these designs are listed in the table.


Design       #Var    #Prop  | NuSMV+COI                       | NuSMV+ABS
                            | #COI   Time   |TR|     |MC|     | #ABS   Time   |TR|     |MC|
gigamax      10(16)   1     |  0     0.3    8346    1822     |  9     0.2    13151   816
guidance     40(55)   8     | 30     35     140409  30467    | 34-39  30     147823  10670
p-queue      12(37)   1     |  4     0.5    51651   1155     |  5     0.4    52472   1114
waterpress    6(21)   4     | 0-1    273    34838   129595   |  4     170    38715   3335
PCI bus      50(89)  10     |  4     2343   121803  926443   | 12-13  546    160129  350226

In the table, the performance of an enhanced version of NuSMV with cone of influence reduction (NuSMV + COI) and of our implementation (NuSMV + ABS) are compared. #Var and #Prop are properties of the designs: #Var = x(y) means that x is the number of symbolic variables, and y the number of Boolean variables in the design. #Prop is the number of verified properties. The columns #COI and #ABS contain the number of symbolic variables which have been abstracted using the cone of influence reduction (#COI), and our initial abstraction (#ABS). The column "Time" denotes the accumulated running time to verify all #Prop properties of the design. |TR| denotes the maximum number of BDD nodes used for building the transition relation. |MC| denotes the maximum number of additional BDD nodes used during the verification of the properties. Thus, |TR| + |MC| is the maximum BDD size during the total model checking process. For the larger examples, we use partitioned transition relations by setting the BDD size limit to 10000.

Although our approach in one case uses 50% more memory than the traditional cone of influence reduction to build the abstract transition relation, it requires one order of magnitude less memory during model checking. This is an important achievement since the model checking process is the most difficult task in verifying large designs. More significant improvement is further demonstrated by the Fujitsu IP core design.

The Fujitsu IP core design is a multimedia assist (MMA-ASIC) processor [1]. The design is a system-on-a-chip that consists of a co-processor for multimedia instructions, a graphic display controller, peripheral I/O units, and five bus bridges. The RTL implementation of MMA-ASIC is described in about 61,500 lines of Verilog-HDL code. After manual abstraction by engineers from Fujitsu in [22], there still remain about 10,600 lines of code with roughly 500 registers. We translated this abstracted Verilog code into 9,500 lines of SMV code. In [22], the authors verified this design using a "navigated" model checking algorithm in which state traversal is restricted by navigation conditions provided by the user. Therefore, their methodology is not complete, i.e., it may fail to prove the correctness even if the property is true. Moreover, the navigation conditions are usually not automatically generated.

In order to compare our model checker to others, we tried to verify this design using two state-of-the-art model checkers, Yang's SMV [23] and NuSMV [6]. We implemented the cone of influence reduction for NuSMV, but not for Yang's SMV. Both NuSMV + COI and Yang's SMV failed to verify the design. On the other hand, our system abstracted 144 symbolic variables and, with three refinement steps, successfully verified the design, and found a bug which had not been discovered before.


7  Conclusion  and  Future  Work 

We have presented a novel abstraction refinement methodology for symbolic model checking. The advantages of our methodology have been demonstrated by experimental results. We believe that our technique is general enough to be adapted for other forms of abstraction. There are many interesting avenues for future research. First, we want to find efficient approximation algorithms for the NP-complete separation problem encountered during the refinement step. Moreover, in a recent paper [4], the fragment of ACTL* that admits "trace"-like counterexamples (of a potentially more complicated structure than paths and loops) has been characterized; we plan to extend our refinement algorithm to this language. Since the symbolic methods described in this paper are not tied to representation by BDDs, we will also investigate how they can be applied to recent work on symbolic model checking without BDDs [3]. We are currently applying our technique to verify other large examples.
APPENDIX

A Identification of Spurious Loop Counterexamples

Let T̂ = (ŝ_1, ..., ŝ_i)(ŝ_{i+1}, ..., ŝ_n)^ω be an abstract loop counterexample. For an index j, let j^+ denote its successor index in the counterexample, i.e., n^+ = i + 1, and for j < n, j^+ = j + 1.

Theorem 4.1 The following are equivalent:

(i) T̂ corresponds to a concrete counterexample.

(ii) h^{-1}_path(T̂_unwind) is not empty.




Proof. Let us first start with some easy observations. Recall that R is the transition relation of the Kripke structure. By definition, the elements of h^{-1}_path(T̂_unwind) are all the finite R-paths P of the form

(*)

for which the following two properties hold:

1. a_j ∈ h^{-1}(ŝ_j) for all a_j in P, and

2. b_{k,j} ∈ h^{-1}(ŝ_j) for all b_{k,j} in P.

Each such path P has length ℓ := i + (min + 1) × (n − i), and we can equivalently write P in the form

(d_1, ..., d_ℓ)   (**)

with the properties

1. d_1 ∈ h^{-1}(ŝ_1), and

2. for all j < n, if d_j ∈ h^{-1}(ŝ_k) then d_{j+1} ∈ h^{-1}(ŝ_{k^+}).

Recall that min was defined to be the size of the smallest abstract state in the loop, i.e., min{|h^{-1}(ŝ_{i+1})|, ..., |h^{-1}(ŝ_n)|}, and let M be the index of an abstract state ŝ_M s.t. |h^{-1}(ŝ_M)| = min. (Such a state must exist, because the minimum must be attained somewhere.)

(i) → (ii) Suppose there exists a concrete counterexample. Since the counterexample contains a loop, there exists an infinite R-path I = (c_1, ...) such that c_1 ∈ h^{-1}(ŝ_1), and for all j, if c_j ∈ h^{-1}(ŝ_k) then c_{j+1} ∈ h^{-1}(ŝ_{k^+}). According to (**), the finite prefix (c_1, ..., c_ℓ) of I is contained in h^{-1}_path(T̂_unwind), and thus h^{-1}_path(T̂_unwind) is not empty.

(ii) → (i) Suppose that h^{-1}_path(T̂_unwind) contains a finite R-path P.

Claim: There exists a state which appears at least twice in P.

Proof of Claim: Suppose P is in form (*). Consider the states b_{1,M}, ..., b_{min+1,M}. By (*), all b_{k,M} are contained in h^{-1}(ŝ_M). By definition of M, however, h^{-1}(ŝ_M) contains only min elements, and thus there must be at least one repetition in the sequence b_{1,M}, ..., b_{min+1,M}. Therefore, there exists a repetition in the finite R-path P, and the claim is proved. □ (Claim)

Let us now write P in form (**), i.e., P = (d_1, ..., d_ℓ), and let a repetition be given by two indices α < β, s.t. d_α = d_β. Because of the repetition, there must be a transition from d_{β−1} to d_α, and therefore, d_α is the successor state of d_{β−1} in a cycle. We conclude that

(d_1, ..., d_{α−1})(d_α, ..., d_{β−1})^ω

is a concrete counterexample. □
A.1 Optimal Abstraction Refinement is NP-complete

Recall that in Figure 7, we have visualized the special case of two variables and two equivalence relations in terms of matrices.

In  order  to  formally  capture  this  visualization,  let  us  define  the  Matrix  Squeezing  problem. 


Definition A.1 Matrix Squeezing
Given an integer constant Γ and a finite (n, m) matrix with entries 0, 1, x, is it possible to obtain a matrix with ≤ Γ entries by iterating the following operations:

1. Merging two compatible rows.

2. Merging two compatible columns.

Two rows are compatible, if there is no position where one row contains 1 and the other row contains 0. All other combinations are allowed, i.e., x does not affect compatibility. Merging two rows means replacing the two rows by a new one which contains 1 at those positions where at least one of the two rows contained 1, and 0 at those positions where at least one of the two rows contained 0.

For columns, the definitions are analogous.

Since Matrix Squeezing is a special case of the refinement problem, it is sufficient to show NP-hardness for Matrix Squeezing. Then it follows that the refinement problem is NP-hard, too, and thus Theorem 4.2 is proved.

As mentioned, Matrix Squeezing is easy to visualize: If we imagine the symbol x to be transparent, then merging two columns can be thought of as putting the two (transparent) columns on top of each other. Column Squeezing is a variant of Matrix Squeezing, where only columns can be merged, and the number of rows is left unchanged. We will first show NP-completeness of Column Squeezing, and then show NP-completeness of Matrix Squeezing by a reduction from Column Squeezing.

Definition A.2 Column Squeezing
Given an integer constant Λ and a finite (n, m) matrix with entries 0, 1, x, is it possible to obtain a matrix with ≤ Λ columns by iterated merging of columns?

The proof will be by reduction from problem GT15 in [12]:

Definition A.3 Partition Into Cliques
Given an undirected graph (V, E) and a number K ≥ 3, is there a partition of V into k ≤ K classes, such that each class induces a clique on (V, E)?


Theorem A.1 (Karp 72) Partition Into Cliques is NP-complete.

Theorem A.2 Column Squeezing is NP-complete.

Proof: Membership is trivial. Let us consider hardness. We reduce Partition Into Cliques to Column Squeezing. Given a graph (V, E) and a number K, we have to construct a matrix M and a number Λ such that M can be squeezed to size ≤ Λ iff (V, E) can be partitioned in ≤ K cliques.

We construct a (|V|, |V|) matrix (a_{i,j}) which is very similar to the adjacency matrix of (V, E):

          ( 1  if i = j
a_{i,j} = ( 0  if (i, j) ∉ E, i ≠ j
          ( x  if (i, j) ∈ E, i ≠ j

Assume w.l.o.g. that V = {1, ..., n}. Then it is not hard to see that for all i, j ∈ V, columns i and j are compatible iff (i, j) ∈ E, since the 0 entries in the matrix were chosen in such a way that the columns corresponding to two non-adjacent vertices cannot be merged.

By construction, (V, E) contains a clique C with vertices c_1, ..., c_l iff the columns c_1, ..., c_l can all be merged into one. (Note however that compatibility is not a transitive relation.)

Thus, (V, E) can be partitioned into ≤ K cliques iff the columns of (a_{i,j}) can be merged into ≤ K columns. Setting Λ = K concludes the proof. □


Theorem A.3 Matrix Squeezing is NP-complete.

Proof: Membership is trivial. We show hardness by reducing Column Squeezing to Matrix Squeezing. For an integer n, let |bin(n)| denote the size of the binary representation of n. Given an (n, m) matrix M and a number Λ, it is easy to construct an (n + 1, m + |bin(m − 1)|) matrix B(M) by adding additional columns to M in such a way that

(i) all rows of B(M) become incompatible, and

(ii) no new column is compatible with any other (new or old) column.

An easy construction to obtain this is to concatenate the rows of M with the binary encodings of the numbers 0, ..., m − 1 over alphabet {0, 1}, such that the ith row is concatenated with the binary encoding of the number i − 1. Since any two different binary encodings are distinguished by at least one position, no two rows are compatible. In addition, we add an (n + 1)st row which contains 1 on positions in the original columns, and 0 on positions in the new columns. Thus, in matrices of the form B(M), only columns which already appeared in M (with an additional 0 symbol below) can be compatible.

It remains to determine Γ. We set Γ := (Λ + |bin(m − 1)|) × (n + 1). The summand |bin(m − 1)| takes into account that we have added |bin(m − 1)| columns, and the factor (n + 1) takes into account that Λ is counting columns, while Γ is counting matrix entries. □
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Figure  11:  An  instance  of  Partition  into  Cliques,  and  its  reduction  images. 


Example A.1 Figure 11 demonstrates how a graph instance is reduced to a matrix instance. Note for example that $\{1, 2, 3\}$ is a clique in the graph, and therefore the columns 1, 2, 3 of the Column Squeezing problem are compatible. In the Matrix Squeezing instance, columns 7, 8, 9 enforce that no rows can be merged. Row 7 guarantees that columns 7, 8, 9 cannot be merged with columns $1, \ldots, 6$.
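As an added illustration of the construction in the proof of Theorem A.3 (example code written for this page, not code from the report or from NuSMV), the following Python builds $B(M)$ for a constructed 6-by-6 matrix over $\{0, 1, *\}$ in the spirit of Figure 11, computes $K'$, and checks properties (i) and (ii) mechanically. The compatibility predicate it uses (two rows or columns are compatible if they agree at every position where both are fixed, with $*$ as a don't-care) is an assumption, since the page does not restate the definition, and the matrix entries are constructed rather than taken from the figure.

```python
STAR = "*"  # don't-care entry; the alphabet {0, 1, *} is an assumption of this example

# Constructed (6, 6) instance, not the matrix of Figure 11: columns 1, 2, 3 are pairwise
# compatible (as the clique {1, 2, 3} would make them), column 4 is not compatible with column 1.
SAMPLE_M = [
    [1, 1, STAR, 0, 1, 0],
    [STAR, 1, 1, 1, 0, 0],
    [0, STAR, 0, 1, 1, 1],
    [1, 1, 1, 0, 0, 1],
    [STAR, STAR, STAR, 1, 1, 0],
    [0, 0, 0, 0, 0, 1],
]

def compatible(u, v):
    """Assumed notion of compatibility: u and v agree wherever both are fixed (0/1)."""
    return all(x == y or x == STAR or y == STAR for x, y in zip(u, v))

def columns(matrix):
    return [list(col) for col in zip(*matrix)]

def bin_width(k):
    """|bin(k)|: length of the binary representation of k, with |bin(0)| = 1."""
    return max(1, k.bit_length())

def build_B(M):
    """B(M) as in the proof of Theorem A.3: row i gets the |bin(m-1)|-bit encoding of i-1
    appended, and an (n+1)st row has 1 under the original columns and 0 under the new ones."""
    n, m = len(M), len(M[0])
    w = bin_width(m - 1)
    # The encodings of 0..n-1 must fit into w bits; this holds for square instances (n == m).
    assert n <= 2 ** w, "too many rows for |bin(m-1)| encoding bits"
    B = [list(row) + [int(bit) for bit in format(i, f"0{w}b")] for i, row in enumerate(M)]
    B.append([1] * m + [0] * w)
    return B

def k_prime(K, n, m):
    """K' := (K + |bin(m-1)|) * (n+1): K counts columns, K' counts matrix entries."""
    return (K + bin_width(m - 1)) * (n + 1)

def check_properties(M):
    """Return (i), (ii) and a third flag saying the old columns keep their compatibility:
    (i)  no two rows of B(M) are compatible;
    (ii) no new column is compatible with any other column."""
    B = build_B(M)
    n, m = len(M), len(M[0])
    rows_incompatible = all(not compatible(B[a], B[b])
                            for a in range(len(B)) for b in range(a + 1, len(B)))
    new, old = columns(B), columns(M)
    new_isolated = all(not compatible(new[a], new[b])
                       for a in range(m, len(new)) for b in range(len(new)) if a != b)
    old_preserved = all(compatible(old[a], old[b]) == compatible(new[a], new[b])
                        for a in range(m) for b in range(a + 1, m))
    return rows_incompatible, new_isolated, old_preserved

if __name__ == "__main__":
    for row in build_B(SAMPLE_M):
        print("".join(str(e) for e in row))
    print(check_properties(SAMPLE_M), "K' for K = 3:", k_prime(3, 6, 6))
```

For the constructed matrix, `check_properties` reports all three flags as true and `k_prime(3, 6, 6)` gives $(3 + 3) \times 7 = 42$. Under this predicate, row 1 (whose encoding is all zeros) is kept apart from the $(n + 1)$st row only by the 0 entries in the first row of $M$; the check makes such a dependency visible for any concrete instance one wants to try.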


B Proofs about Path Counterexamples

Lemma 4.1. The following are equivalent:

(i) The path $\hat{T}$ corresponds to a concrete counterexample.

(ii) The set of concrete paths $h^{-1}(\hat{T})$ is non-empty.

(iii) For all $1 \le i \le n$, $S_i \ne \emptyset$.

Proof: (i) $\Rightarrow$ (ii) Assume that $\hat{T}$ corresponds to a concrete counterexample $T = (s_1, \ldots, s_n)$. From the definition of $\hat{T}$, $h(s_i) = \hat{s}_i$ and $s_i \in h^{-1}(\hat{s}_i)$. Since $T$ is a trace in the concrete model, it has to satisfy the transition relation and start from an initial state, i.e. $R(s_i, s_{i+1})$ and $s_1 \in I$. From the definition of $h^{-1}(\hat{T})$, it follows that $T \in h^{-1}(\hat{T})$.

(ii) $\Rightarrow$ (i) Assume that $h^{-1}(\hat{T})$ is non-empty. We pick a trace $(s_1, \ldots, s_n)$ from $h^{-1}(\hat{T})$. Then $(h(s_1), \ldots, h(s_n)) = \hat{T}$, and therefore $\hat{T}$ corresponds to a concrete counterexample.

(ii) $\Rightarrow$ (iii) Assume that $h^{-1}(\hat{T})$ is not empty. Then there exists a path $(s_1, \ldots, s_n)$ where $h(s_i) = \hat{s}_i$ and $s_1 \in I$. Therefore, we have $s_1 \in S_1$. Let us assume that $s_i \in S_i$. By the definition of $h^{-1}(\hat{T})$, $s_{i+1} \in \mathit{Img}(s_i, R)$ and $s_{i+1} \in h^{-1}(\hat{s}_{i+1})$. Therefore, $s_{i+1} \in S_{i+1}$, since $S_{i+1} = \mathit{Img}(S_i, R) \cap h^{-1}(\hat{s}_{i+1})$. By induction, $S_i \ne \emptyset$ for $i \le n$.

(iii) $\Rightarrow$ (ii) Assume that $S_i \ne \emptyset$ for $1 \le i \le n$. We choose a state $s_n \in S_n$ and inductively construct a trace backward. Assume that $s_i \in S_i$. From the definition of $S_i$, it follows that $s_i \in \mathit{Img}(S_{i-1}, R) \cap h^{-1}(\hat{s}_i)$ and $S_{i-1}$ is not empty. Select $s_{i-1}$ from $S_{i-1}$ such that $R(s_{i-1}, s_i)$. From the definition of $S_{i-1}$, $S_{i-1} \subseteq h^{-1}(\hat{s}_{i-1})$. Hence, $s_{i-1} \in h^{-1}(\hat{s}_{i-1})$. By induction, $s_1 \in S_1 = h^{-1}(\hat{s}_1) \cap I$.

Therefore, the trace $(s_1, \ldots, s_n)$ that we have constructed satisfies the definition of $h^{-1}(\hat{T})$. Thus, $h^{-1}(\hat{T})$ is not empty. □
In the following, we prove that when $S_{i,x}$ is empty, there exists a polynomial algorithm to find the coarsest refinement. Let $s$ be a state and $P^+_j, P^-_j$ be two projection functions, such that for $s = (d_1, \ldots, d_m)$, $P^+_j(s) = d_j$ and $P^-_j(s) = (d_1, \ldots, d_{j-1}, d_{j+1}, \ldots, d_m)$. Note that this definition is consistent with the definition in Section 4.3. Since $S_{i,x}$ is empty, $S_{i,0}$ and $S_{i,1}$ form a partition of $h^{-1}(\hat{s}_i)$. A refinement of $\equiv$ can be achieved by refining each equivalence relation $\equiv_j$ (and thus, simultaneously, the abstraction functions $h_j$).

We will replace each equivalence relation $\equiv_j$ by the equivalence relation $\equiv'_j$ in the following way: We put two elements $a, b$ of $D_{VC_j}$ in the same equivalence class (symbolically, $a \equiv'_j b$) if and only if the projection sets $P^-_{j,a} = \{P^-_j(s) \mid P^+_j(s) = a,\ s \in S_{i,1}\}$ and $P^-_{j,b} = \{P^-_j(s) \mid P^+_j(s) = b,\ s \in S_{i,1}\}$ are equal. Intuitively, this means that any two states which only differ in the $j$th component are either both in $S_{i,1}$ or both not in $S_{i,1}$. As shown in Section 2, the equivalence relations $\equiv'_j$ ($1 \le j \le m$) define an equivalence relation $\equiv'$ on $D$.

Lemma 4.2 When $S_{i,x} = \emptyset$, the relation $\equiv'$ computed by PolyRefine is an equivalence relation which refines $\equiv$ and separates $S_{i,0}$ and $S_{i,1}$. Furthermore, the equivalence relation $\equiv'$ is the coarsest such refinement of $\equiv$.

Proof: First, we argue that $\equiv'_j$ is an equivalence relation:

• Reflexivity: for any $a \in E_j$, $(a, a)$ is not removed from $\equiv_j$; therefore, $a \equiv'_j a$;

• Symmetry: $a \equiv'_j b$ implies that $\mathit{proj}(S_{i,0}, j, a) = \mathit{proj}(S_{i,0}, j, b)$. According to PolyRefine, $(b, a)$ is not removed from $\equiv_j$. Therefore, $b \equiv'_j a$;

• Transitivity: assume that $a \equiv'_j b$ and $b \equiv'_j c$. Then $\mathit{proj}(S_{i,0}, j, a) = \mathit{proj}(S_{i,0}, j, b)$ and $\mathit{proj}(S_{i,0}, j, b) = \mathit{proj}(S_{i,0}, j, c)$. Hence, $\mathit{proj}(S_{i,0}, j, a) = \mathit{proj}(S_{i,0}, j, c)$. This implies that $a \equiv'_j c$.

Secondly, we show that $\equiv'$ is a correct refinement, i.e., for any two states $s_1 \in S_{i,1}$ and $s_2 \in S_{i,0}$, $s_1 \not\equiv' s_2$. Assume that there are two states $s_1 \in S_{i,1}$ and $s_2 \in S_{i,0}$ where $s_1 \equiv' s_2$. Also assume that $s_1 = (d_1, \ldots, d_m)$ and $s_2 = (e_1, \ldots, e_m)$ where $d_j \equiv'_j e_j$. Without loss of generality, we assume that $d_j \ne e_j$ for $1 \le j \le k$ and $d_j = e_j$ for $k < j \le m$, where $1 \le k \le m$. Consider another state $s_3 = (e_1, d_2, \ldots, d_m)$. Since $e_1 \in E_1$ and $d_j \in E_j$ for $1 < j \le m$, $s_3 \in h^{-1}(\hat{s}_i)$. On the other hand, $s_1 \equiv' s_3$ because $d_1 \equiv'_1 e_1$ and $d_j \equiv'_j d_j$ for all $j$. According to our definition of $\equiv'_j$, any two states which only differ in the $j$th component are either both in $S_{i,1}$ or both not in $S_{i,1}$. Since $s_1 \in S_{i,1}$, it follows that $s_3 \in S_{i,1}$. Furthermore, we consider $s_4 = (e_1, e_2, d_3, \ldots, d_m)$. Following the same argument, $s_3 \equiv' s_4$ and $s_4 \in S_{i,1}$. Therefore, $s_1 \equiv' s_4$. By repeating this step $k$ times, we obtain that $s_1 \equiv' s_2$ and $s_2 \in S_{i,1}$. Hence, $S_{i,1} \cap S_{i,0} \ne \emptyset$. This contradicts our definition of $S_{i,1}$ and $S_{i,0}$. Therefore, the equivalence relation $\equiv'$ partitions $S_{i,1}$ and $S_{i,0}$ into different equivalence classes.

Finally, we prove that the equivalence relation $\equiv'$ defines the coarsest refinement. Towards a contradiction, we assume that there is another equivalence relation $\equiv''$ which defines a coarser refinement than $\equiv'$ and eliminates the counterexample. Note that a coarser refinement implies that there are fewer equivalence classes generated by $\equiv''$ than by $\equiv'$. This implies that there exists a $j$ such that $\equiv''_j$ generates fewer equivalence classes than $\equiv'_j$. Therefore, there must exist two elements $a, b \in D_{VC_j}$ where $a \not\equiv'_j b$ but $a \equiv''_j b$. According to the definition of $\equiv'_j$, $a \not\equiv'_j b$ if and only if there exist two states $s_1$ and $s_2$ such that $P^+_j(s_1) = a$, $P^+_j(s_2) = b$ and $P^-_j(s_1) = P^-_j(s_2)$, but either $s_1 \in S_{i,1} \wedge s_2 \notin S_{i,1}$ or $s_1 \notin S_{i,1} \wedge s_2 \in S_{i,1}$.

We will first consider the case $s_1 \in S_{i,1} \wedge s_2 \notin S_{i,1}$. The second case follows by the same argument. Because $S_{i,x}$ is empty, $s_2 \notin S_{i,1}$ implies that $s_2 \in S_{i,0}$. On the other hand, $a \equiv''_j b$ implies that $s_1 \equiv'' s_2$ according to the definition of $\equiv''$. Therefore, $\equiv''$ cannot partition $S_{i,1}$ and $S_{i,0}$ into different equivalence classes, i.e., it cannot eliminate the counterexample. Hence, $\equiv'$ defines the coarsest refinement. □
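Lemma 4.1 and Lemma 4.2 together describe a procedure: compute $S_1, \ldots, S_n$ forward to detect a spurious path, then, at the failure index $i$, split $h^{-1}(\hat{s}_i)$ and let PolyRefine separate the two parts. The following Python is an added example written for this page, not the report's algorithm as implemented in NuSMV, run over a constructed two-variable model with explicit state sets. It assumes that $S_{i,1}$ denotes the dead-end states $S_i$ reached along the prefix, $S_{i,0}$ the bad states with a successor in $h^{-1}(\hat{s}_{i+1})$, and $S_{i,x}$ the remaining states; abstract states are represented as tuples of class indices, and all names (`forward_sets`, `split`, `poly_refine`, and so on) are the example's own.

```python
from itertools import product

# Constructed toy model (not from the report): two variables x in {0,1,2,3} and y in {0,1}.
DOMAINS = [range(4), range(2)]
INIT = {(0, 0), (1, 0)}                      # initial states I
R = {                                        # transition relation R as (s, s') pairs
    ((0, 0), (0, 1)), ((1, 0), (1, 1)),
    ((0, 1), (0, 1)), ((1, 1), (1, 1)),      # the reachable states loop with x < 2
    ((2, 1), (3, 1)),                        # x == 3 is reachable only from the unreachable (2, 1)
}
# Initial abstraction: one equivalence relation per variable, given as a list of classes.
# x: {0,1,2} collapsed and {3} alone; y: identity. Abstract states are tuples of class indices.
INITIAL_CLASSES = [[{0, 1, 2}, {3}], [{0}, {1}]]


def abstraction(classes):
    """Return h: a concrete state maps to the tuple of class indices of its components."""
    def h(s):
        return tuple(next(k for k, cls in enumerate(per_var) if d in cls)
                     for d, per_var in zip(s, classes))
    return h


def h_inverse(h, abstract_state):
    return {s for s in product(*DOMAINS) if h(s) == abstract_state}


def img(states):
    """Img(S, R): all successors of states in S."""
    return {t for (s, t) in R if s in states}


def abstract_transitions(h):
    """Existential abstraction of R: an abstract edge exists iff some concrete edge maps onto it."""
    return {(h(s), h(t)) for (s, t) in R}


def forward_sets(h, abstract_path):
    """S_1 = h^-1(s^_1) ∩ I and S_{i+1} = Img(S_i, R) ∩ h^-1(s^_{i+1}), as in Lemma 4.1."""
    sets = [h_inverse(h, abstract_path[0]) & INIT]
    for a in abstract_path[1:]:
        sets.append(img(sets[-1]) & h_inverse(h, a))
    return sets


def failure_index(sets):
    """Lemma 4.1: the abstract path is spurious iff some S_i is empty.
    Return None for a real counterexample, otherwise the 1-based index i of the last
    non-empty S_i (0 means even S_1 is empty)."""
    for k, s in enumerate(sets):
        if not s:
            return k
    return None


def split(h, abstract_path, i):
    """Partition h^-1(s^_i) into dead-end states S_{i,1} (= S_i, reached along the prefix),
    bad states S_{i,0} (having a successor in h^-1(s^_{i+1})) and the rest S_{i,x}.
    Which of the report's S_{i,0} / S_{i,1} / S_{i,x} is which is an assumption."""
    sets = forward_sets(h, abstract_path)
    cell = h_inverse(h, abstract_path[i - 1])
    dead_end = sets[i - 1]
    next_cell = h_inverse(h, abstract_path[i])
    bad = {s for s in cell if img({s}) & next_cell}
    return dead_end, bad, cell - dead_end - bad


def proj(states, j, a):
    """P^-_{j,a}: the remaining components of the states in `states` whose jth component is a."""
    return frozenset(s[:j] + s[j + 1:] for s in states if s[j] == a)


def poly_refine(classes, dead_end):
    """PolyRefine: inside each class of ≡_j keep a and b together iff P^-_{j,a} == P^-_{j,b}
    over S_{i,1}. By Lemma 4.2 this is the coarsest refinement when S_{i,x} is empty."""
    refined = []
    for j, per_var in enumerate(classes):
        new_classes = []
        for cls in per_var:
            buckets = {}
            for a in sorted(cls):
                buckets.setdefault(proj(dead_end, j, a), set()).add(a)
            new_classes.extend(buckets.values())
        refined.append(new_classes)
    return refined


def analyse(abstract_path=((0, 0), (0, 1), (1, 1))):
    """Check the abstract path; if it is spurious, run one PolyRefine step at the failure index."""
    h = abstraction(INITIAL_CLASSES)
    sets = forward_sets(h, abstract_path)
    i = failure_index(sets)
    if i is None:
        return sets, None, set(), set(), set(), INITIAL_CLASSES
    if i == 0:
        raise ValueError("no initial state in h^-1(s^_1): nothing to refine along a prefix")
    dead_end, bad, irrelevant = split(h, abstract_path, i)
    if irrelevant:
        raise ValueError("S_{i,x} is non-empty; Lemma 4.2's coarseness guarantee does not apply")
    return sets, i, dead_end, bad, irrelevant, poly_refine(INITIAL_CLASSES, dead_end)


if __name__ == "__main__":
    sets, i, dead_end, bad, irrelevant, refined = analyse()
    print("S_i:", sets, "failure index:", i)
    print("S_{i,1}:", dead_end, "S_{i,0}:", bad, "S_{i,x}:", irrelevant)
    print("refined classes:", refined)
```

On the constructed abstract path $(0,0), (0,1), (1,1)$, `analyse()` finds $S_3 = \emptyset$, so the path is spurious with failure index 2. There $S_{2,1} = \{(0,1), (1,1)\}$, $S_{2,0} = \{(2,1)\}$ and $S_{2,x}$ is empty; PolyRefine keeps the $x$-values 0 and 1 together (their projection sets over $S_{2,1}$ are both $\{(1)\}$) and splits off 2, and the refined abstraction no longer has the abstract transition that produced the spurious path. A non-spurious path, such as $(0,0), (0,1), (0,1)$, yields a failure index of `None` and leaves the classes unchanged.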

Theorem 4.3 Given a model $M$ and an ACTL* specification $\varphi$ whose counterexample is either a path or a loop, our algorithm will find a model $\hat{M}$ such that $\hat{M} \models \varphi \Leftrightarrow M \models \varphi$.

Proof: There are three cases to consider.

(i) If $\hat{M} \models \varphi$, then $M \models \varphi$ according to Theorem 2.1.

(ii) If $\hat{M} \not\models \varphi$, and the generated abstract counterexample is not spurious, then there exists a concrete counterexample, and hence $M \not\models \varphi$.

(iii) If $\hat{M} \not\models \varphi$, and the generated abstract counterexample is spurious, then PolyRefine will refine the abstraction. Since each refinement step partitions an existing equivalence class into strictly smaller equivalence classes, after a finite number of steps the equivalence relation will become the equality relation, and therefore $\hat{M} \cong M$. Hence $M \not\models \varphi$.

□